实操-windows环境下ELK配置

参考文章：

https://www.cnblogs.com/liuyuhua/p/5711026.html

https://www.cnblogs.com/huangll99/p/6646859.html

版本说明：

elasticsearch-6.3.2

logstash-6.3.2

kibana-6.3.2-windows-x86_64

jdk1.8

win10

下载地址：

Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html

Logstash: https://www.elastic.co/downloads/logstash

Elasticsearch: https://www.elastic.co/downloads/elasticsearch

Kibana: https://www.elastic.co/downloads/kibana

帮助文档

Logstash https://www.elastic.co/guide/en/logstash/current/codec-plugins.html

Elasticsearch https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html

Kibana https://www.elastic.co/guide/en/kibana/current/index.html

一、jdk环境变量配置

jdk使用1.8在此，不多描述

二、elasticsearch启动

启动：

D:\SERVICE\elasticsearch-6.1.3\bin\elasticsearch-service.bat start

三、kibana启动

1.配置elasticsearch

Open config/kibana.yml in an editor
Set elasticsearch.url to point at your Elasticsearch instance

2.启动

Run bin/kibana (or bin\kibana.bat on Windows)

3.访问

Point your browser at http://localhost:5601

4.设置为其他电脑访问

如何需要外网访问，注意需要在kibana.yml 中配置对应ip否则只能本机访问

三、logstash配置

参考：https://blog.csdn.net/loophome/article/details/52353869

配置：

1.配置GROK表达式

表达式测试地址：需要科学上网

http://grokdebug.herokuapp.com/?#

参考：https://blog.csdn.net/yanggd1987/article/details/50486779

2.编辑配置文件——参考

input {

file {

path => "D:/SERVICE/logstash-6.3.2/test.log"

#type是给结果增加一个type属性,值为"error"的条目

type => "nginxlogtest"

#从开始位置开始读取

start_position => beginning

}

filter {

grok {

match => {

"message" => "%{IPORHOST:clientip} \- \- \[%{TIMESTAMP_ISO8601:timestamp}\] \"(%{WORD:verb} %{DATA:rawrequest})\" %{NUMBER:status} %{NUMBER:bytes} %{QS:referer} \"%{GREEDYDATA:agent}\" \"%{NUMBER:requestTime}\""

}

date {

match => [ "timestamp","dd/MMM/yyyy:HH:mm:ss Z" ]

}

mutate {

convert => ["requestTime", "float"]

}

output {

elasticsearch {

hosts => "127.0.0.1:9200"

index => "nginxlogtest"

}

stdout { codec => rubydebug }

}

3.启动

.\logstash.bat -f D:\SERVICE\logstash-6.3.2\conf\nginx-test.conf

注意在测试的时候，会发现文件被读取一次后，就不会在读取。此时需要删除之前的读取缓存记录后再重新运行

删除读取记录缓存：

目录下收索 sincedb文件，并删除

4.停止服务

问题：

[ERROR] 2018-08-01 15:39:55.904 [main] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (GemfileNotFound) D:/SERVICE/logstash-6.3.2/Gemfile not found

解决：压缩包没有解压完整，需要重新解压